netfilter: ipset: hash:net,iface timeout bug fixed
author Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Fri, 13 Jan 2012 21:55:54 +0000 (22:55 +0100)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 7 Mar 2012 16:40:37 +0000 (17:40 +0100)
Timed out entries were still matched till the garbage collector
purged them out. The fix is verified in the testsuite.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/linux/netfilter/ipset/ip_set_ahash.h

index 0e5c3cf7618abf3254f14ee1ebd34ae15275a407..05a5d72680bed904c23687a69e43a7759bc61848 100644 (file)
@@ -1005,9 +1005,17 @@ type_pf_ttest_cidrs(struct ip_set *set, struct type_pf_elem *d, u32 timeout)
                n = hbucket(t, key);
                for (i = 0; i < n->pos; i++) {
                        data = ahash_tdata(n, i);
+#ifdef IP_SET_HASH_WITH_MULTI
+                       if (type_pf_data_equal(data, d, &multi)) {
+                               if (!type_pf_data_expired(data))
+                                       return type_pf_data_match(data);
+                               multi = 0;
+                       }
+#else
                        if (type_pf_data_equal(data, d, &multi) &&
                            !type_pf_data_expired(data))
                                return type_pf_data_match(data);
+#endif
                }
        }
        return 0;
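
Review bot: the `multi = 0;` reset in the IP_SET_HASH_WITH_MULTI branch carries no comment, and it is the only behavioural difference from the #else branch, which keeps the combined `type_pf_data_equal(data, d, &multi) && !type_pf_data_expired(data)` test. Since `multi` is passed by address to type_pf_data_equal() and is cleared only when the equal entry has expired, a one-line comment saying that an expired entry must not leave `multi` set for the remaining comparisons in the loop would make the intent clear to the next reader. The commit message could also say that the fix is in the handling of `multi` for the IP_SET_HASH_WITH_MULTI variants, because the expiry test itself is present in both branches.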